That’s an elegant solution.
The only problem in my case is that it’s not generic enough. (But it does give me an idea for an improvement.)
My script is more generic, in that 1) it can take any archive as an argument, and 2) the password can be trivially changed, without modifying the calling script.
But by extending it with your “execute a script” idea (why didn’t I think of that?), it can be even more generic: I can simplify the main generic script and make it more generic, and the archived script can set any variables and invoke an arbitrary command, restic or otherwise.
The ramfs setup and teardown are both one-liners, fairly trivial, won’t swap contents to disk, and I don’t have to worry about credential bits lingering on persistent storage.